Kaspersky patched one bug, but more to come says Google’s antivirus hacker

Russian antivirus firm Kaspersky may need to follow up its most recent patch with more fixes if a Google security researcher is right.

Kaspersky, which has recently been deflecting claims it doctored files to throw off its antivirus rivals, rushed out a patch over the weekend to address a bug in its own product that was reported by Google security engineer Tavis Ormandy.

Ormandy on Saturday revealed he had reported a bug to Kaspersky, which could be exploited remotely and without user interaction, meaning a computer running vulnerable Kaspersky antivirus products could be commandeered by an attacker simply by visiting a rigged website.

Kaspersky on Monday said it had pushed out a patch over the weekend, within a day of receiving Ormandy’s report. Users would receive the update automatically.

Given the automatic update, many Kaspersky users wouldn't have noticed the fix, but they may be receiving further security updates this week to fix more flaws that Ormandy reported on Monday.

“Alright, sent Kaspersky some more vulnerabilities to investigate, many obviously exploitable. I'll triage the remaining bugs tomorrow,” said Ormandy.

It’s not clear from the statement how serious the bugs are, nor how they can be exploited.

CSO Australia has asked Kaspersky whether it’s received the latest report from Ormandy and whether it can confirm the bugs do exist.

Ormandy, a member of Google’s elite hacker group Project Zero, has previously called out Kaspersky’s rivals Sophos and ESET for security flaws. The security engineer has also had run-ins with researchers at antivirus vendors over his disclosure practices.

Graham Cluley, formerly of Sophos, criticised Ormandy in 2010 for publishing exploit code based on flaws he’d found in a Windows component, having given Microsoft only five days to fix the problem before revealing them. Cluley noted at the time that hackers were quick to exploit the information Ormandy divulged. Two years later Ormandy revealed flaws in Sophos' products, though he was more generous with his disclosure deadline than he had been with Microsoft.

Cluley suggested in a blog post on the weekend that Ormandy, in selecting the day before a public holiday in the US, may have an agenda to make life difficult for antivirus vendors.

“One has to question the timing of Ormandy's announcement just before a long holiday weekend in the United States, which clearly makes it as difficult as possible for a corporation to put together a response for concerned users.”

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.